W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: Removal of the note about extensions

From: Mike \ <pomax@nihongoresources.com>
Date: Mon, 24 Feb 2014 09:02:19 -0800
Message-ID: <530B7B1B.6090708@nihongoresources.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2/24/2014 5:31 AM, Mike West wrote:
> With this in mind, I'm inclined to add a non-normative note to the 
> spec along the lines of "Note that user agents are encouraged to allow 
> third-party add-ons and JavaScript bookmarklets to bypass policy 
> enforcement, either implicitly or based on the user's preference."

It would be even nicer if it could be made solution-agnostic, simply 
stating that UA are encouraged to allow users to override CSP either 
through UA-preferences or through third-party added functionality. If we 
come up with a third thing to supplement addons and bookmarklets, the 
suggested clause will run into an enumeration problem (it's hard to 
future-proof explicit lists). That said, putting a clause like this back 
in has my vote, even if phrased as above.

- Mike "Pomax" Kamermans
Received on Monday, 24 February 2014 17:04:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC